Should it be possible for applications using the Mastodon OAuth APIs to request access to your email address?
-
This would require an additional scope, and the OAuth authorization flow would highlight that the application is requesting access to your email address.
I can't decide if this would be a good thing to implement or not.
-
@thisismissem My question is: Why would they need my email address? What would it be used for?
-
Emelia replied to Emelia (last edited)
The `email` scope is standard in OpenID Connect (OIDC), so many services that implement OIDC do support this claim.
Without this scope and its associated claims, you'd have to manually enter an email address if the application requires it.
We also don't currently implement negotiating scopes down, so if you get an authorization request that includes email and you don't want to give it, you can't disable that one scope when approving the authorization request.
-
@tamitha so a service like IFTAS FediCheck might want to be able to send you an email each time we've done something to your server, or if we added social sign-in to IFTAS Connect, then we could pair your account with an existing account and send you the email notifications.
-
Emelia replied to Emelia (last edited)
@tamitha Client applications should almost never request this scope; it's more for software-as-a-service type use cases.
-
@thisismissem I feel very strongly here and I don't like it!
The reason is, Discord does that too. No, not always: the service has to specifically ask for this permission as well. But a lot of services ask for it with no option to not give the email address. And they don't actually need the email.
And I can literally think of zero cases where a service that asked for it actually used it for anything. Anything other than advertising and promotion. The only use that this Discord feature got me
-
@thisismissem was unwanted emails in my inbox about some cool new thing or price reduction that I do not care about.
If this is really considered, please, please always make it optional for the user as well. When the application asks for it, the user should have the ability to decline just that one.
-
@shadowwwind Yeah, I'm also thinking about folks who use privacy emails or per-service email addresses to trace data breaches.
-
@shadowwwind And I 100% agree here. I think we'd definitely want a way to opt out if it is requested, in which case applications just need to treat it like you don't have an email with the server, and instead request one if they really need it.
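The two points the thread keeps returning to (the consent screen should let the user decline just the `email` scope, i.e. negotiate scopes down, and a client must then behave exactly as if the server had no email on file) can be shown end to end with a small model of both sides of the flow. The following is an added example, not Mastodon's code: `read` and `write` are real Mastodon scopes, `email` is the proposed scope under discussion, and every function name, the `OPTIONAL_SCOPES` set and the sample account are constructed for illustration.

```python
"""Added example (not Mastodon's code): an OAuth consent step where the requested
`email` scope may be declined on its own, and a client that copes when the email
claim is therefore absent. Scope names `read`/`write` are Mastodon's; `email` is the
proposed scope; all function names and sample data are constructed assumptions."""
from urllib.parse import urlencode, parse_qs, urlparse

# Scopes the authorization server lets the user uncheck on the consent screen (assumption).
OPTIONAL_SCOPES = {"email"}
# Consent text per scope; the email line is the one the thread wants highlighted.
SCOPE_DESCRIPTIONS = {
    "read": "read your account data",
    "write": "post and modify content on your behalf",
    "email": "see the email address registered with this server",
}


def build_authorize_url(base, client_id, redirect_uri, scopes, state):
    """Client side: build the authorization request (RFC 6749 section 4.1.1)."""
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
         "scope": " ".join(scopes), "state": state}
    return f"{base}/oauth/authorize?{urlencode(q)}"


def parse_requested_scopes(url):
    """Server side: recover the space-separated scope list from the request URL."""
    return parse_qs(urlparse(url).query).get("scope", [""])[0].split()


def consent_screen(requested):
    """Server side: one line per scope; optional scopes get a checkbox the user may clear."""
    lines = []
    for s in requested:
        marker = "[x] (you may uncheck this)" if s in OPTIONAL_SCOPES else "[required]"
        lines.append(f"{marker} {SCOPE_DESCRIPTIONS.get(s, s)}")
    return lines


def grant(requested, declined):
    """Server side: scopes actually granted. Only optional scopes may be declined;
    trying to decline a required scope rejects the whole authorization."""
    declined = set(declined)
    if declined - OPTIONAL_SCOPES:
        raise ValueError(f"cannot decline required scope(s): {sorted(declined - OPTIONAL_SCOPES)}")
    return [s for s in requested if s not in declined]


def token_response(requested, granted):
    """RFC 6749 section 5.1: `scope` MUST be present when it differs from the request."""
    resp = {"access_token": "constructed-token", "token_type": "Bearer"}
    if set(granted) != set(requested):
        resp["scope"] = " ".join(granted)
    return resp


def userinfo(account, granted):
    """Server side: release the email claim only when `email` was granted."""
    claims = {"sub": account["id"], "preferred_username": account["username"]}
    if "email" in granted:
        claims["email"] = account["email"]
    return claims


def client_resolve_email(token_resp, requested, claims):
    """Client side: (email, must_ask_user). A missing `scope` in the token response
    means everything requested was granted; a declined `email` scope is handled
    exactly like an account that has no email at the server."""
    granted = token_resp.get("scope", " ".join(requested)).split()
    if "email" in granted and "email" in claims:
        return claims["email"], False
    return None, True


if __name__ == "__main__":
    requested = ["read", "write", "email"]
    url = build_authorize_url("https://mastodon.example", "app-id",
                              "https://app.example/cb", requested, "xyz")
    for line in consent_screen(parse_requested_scopes(url)):
        print(line)
    account = {"id": "1", "username": "tamitha", "email": "tamitha@example.org"}  # constructed
    granted = grant(requested, declined=["email"])          # user unchecked only `email`
    resp = token_response(requested, granted)
    print(resp)                                              # carries scope="read write"
    print(client_resolve_email(resp, requested, userinfo(account, granted)))  # (None, True)
```

The design point is that the client never looks at the raw claims first: it reads the granted scope set from the token response, so a server that narrowed the grant is indistinguishable from one that simply has no email for the account, which is the behaviour the closing post asks for.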